US Government’s Role in Vulnerability Disclosure
In this discussion paper, published by the Belfer Center in June 2016, the authors discuss the dilemma that government agencies confront when they discover or purchase zero day vulnerabilities: should the government disclose such vulnerabilities, and thus allow them to be fixed, or should the government retain them for national security purposes? This is a difficult question because the government is simultaneously charged with protecting the nation in cyberspace and with intelligence, law enforcement, and military missions that may require the use of such vulnerabilities. A decision by the government to retain a zero day vulnerability likely undercuts general cybersecurity, while disclosing information about a zero day vulnerability so vendors can patch it could undercut the ability of law enforcement to investigate crimes, intelligence agencies to gather intelligence, and the military to carry out offensive cyber operations.
The authors explore the debate over this complex issue, outline the various positions, examine the Vulnerability Equities Process ("VEP"), and attempt to explain how the government determines whether to release or retain a zero day vulnerability.
To read the full discussion paper, follow this link.